Make the offline RAG chain observable without widening credential access
Some checks failed
verify / verify (push) Has been cancelled

Expose the verified synthetic retrieval path through a typed React client and a non-root Nginx edge while keeping database credentials and data-network reachability out of the browser tier. A fixed-origin gateway preserves request boundaries and now closes upstream streams even when downstream disconnects before body iteration. The deployment ADR and runbooks record the four-network topology and its accepted Web edge-egress risk.

Constraint: The previously exposed Bailian key must be revoked and no live provider credential may enter Git, images, logs, or the browser.
Rejected: Connect Web directly to the data network | expands lateral reach to PostgreSQL.
Rejected: Publish the database-aware API on the edge network | gives a credential-bearing process a public default route.
Rejected: Buffer streaming responses in either proxy | prevents incremental chat delivery in the future.
Confidence: high
Scope-risk: moderate
Reversibility: clean
Directive: Do not mark Stage 1 or Stage 2 complete until the rotated-key live smoke and remaining stage gates pass.
Tested: make verify; 65 backend tests; 14 frontend tests; Docker image build; container health and isolation probes; real HTTP demo/status/search/docs/OpenAPI checks.
Not-tested: Live Bailian models, real document ingestion, business chat SSE generation, and final browser screenshot automation because the browser skill runtime was unavailable.
This commit is contained in:
2026-07-12 17:38:57 +08:00
parent 2fa27ae71c
commit c3bad0f186
60 changed files with 9062 additions and 82 deletions

View File

@@ -5,7 +5,8 @@ from contextlib import asynccontextmanager
import httpx
from fastapi import FastAPI, Request, Response, status
from fastapi.responses import JSONResponse
from fastapi.responses import JSONResponse, StreamingResponse
from starlette.types import Receive, Scope, Send
UPSTREAM_ORIGIN = httpx.URL("http://api:8000")
MAX_REQUEST_BODY_BYTES = 1024 * 1024
@@ -53,6 +54,27 @@ RESPONSE_HEADER_ALLOWLIST = frozenset(
)
class _UpstreamStreamingResponse(StreamingResponse):
"""Close the upstream response even if downstream headers cannot be sent."""
def __init__(
self,
*,
upstream_response: httpx.Response,
content: AsyncIterator[bytes],
status_code: int,
headers: Mapping[str, str],
) -> None:
self._upstream_response = upstream_response
super().__init__(content=content, status_code=status_code, headers=headers)
async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
try:
await super().__call__(scope, receive, send)
finally:
await self._upstream_response.aclose()
def _allowlisted_headers(headers: Mapping[str, str], allowlist: frozenset[str]) -> dict[str, str]:
return {name: value for name, value in headers.items() if name.lower() in allowlist}
@@ -139,15 +161,23 @@ def create_gateway_app(transport: httpx.AsyncBaseTransport | None = None) -> Fas
content=body,
)
try:
upstream_response = await upstream_client.send(upstream_request)
upstream_response = await upstream_client.send(upstream_request, stream=True)
except httpx.RequestError:
return JSONResponse(
status_code=status.HTTP_502_BAD_GATEWAY,
content={"detail": "upstream unavailable"},
)
return Response(
content=upstream_response.content,
async def response_body() -> AsyncIterator[bytes]:
if upstream_response.is_stream_consumed:
yield upstream_response.content
else:
async for chunk in upstream_response.aiter_raw():
yield chunk
return _UpstreamStreamingResponse(
upstream_response=upstream_response,
content=response_body(),
status_code=upstream_response.status_code,
headers=_allowlisted_headers(
upstream_response.headers,